Sign in to follow this  
Followers 0
Jeff G.

FAQ Entry: The Link Analysis Process

52 posts in this topic

Just to add my 2 cents, the failure on the parsers part to resolve urls is of concern to me too, as I have said before in other posts about this subject.  So there are others here that feel getting the websites reported is important.

41455[/snapback]

...And I hope they will band together to commission a tool that will report spamvertized websites and do it well. SpamCop is not that tool and it appears that (unless a miracle happens and the things that have been keeping Julian and the Deputies busy ensuring that the parser works well in finding the source of the spam e-mails) it never will.

Share this post


Link to post
Share on other sites

(unless a miracle happens and the things that have been keeping Julian and the Deputies busy ensuring that the parser works well in finding the source of the spam e-mails)

I think the parser often gets the source wrong! Often it or gives the spammers email address as a reporting address - how and why does the parser give the address royir143[at]hotmail.com as a valid spam reporting email adddress (see below) ?!!! Surely it must be possible to have a system where anything other than abuse[at]hotmail.com is discarded as fake. I really think the spammers are one step ahead here and are actively building a database of users who report spam. They can then use this for a variety of uses like refining spam to evade the pharser, using reporters of spam to maliciously report legitimate websites, or more worryingly set DDos attacks and virus campaigns...

Tracking message source: 124.106.177.207:

Routing details for 124.106.177.207

[refresh/show] Cached whois for 124.106.177.207 : rrdelavega[at]pldt.com.ph nctabernilla[at]pldt.com.ph ssmiguel[at]pldt.com.ph riresurreccion[at]pldt.com.ph jcgonzales[at]pldt.com.ph vrortiz[at]pldt.com.ph royir143[at]hotmail.com

Using last resort contacts rrdelavega[at]pldt.com.ph nctabernilla[at]pldt.com.ph ssmiguel[at]pldt.com.ph riresurreccion[at]pldt.com.ph jcgonzales[at]pldt.com.ph vrortiz[at]pldt.com.ph royir143[at]hotmail.com

Message is 4 hours old

124.106.177.207 not listed in dnsbl.njabl.org

124.106.177.207 not listed in dnsbl.njabl.org

124.106.177.207 not listed in cbl.abuseat.org

124.106.177.207 not listed in dnsbl.sorbs.net

124.106.177.207 not listed in relays.ordb.org.

124.106.177.207 not listed in accredit.habeas.com

124.106.177.207 not listed in plus.bondedsender.org

124.106.177.207 not listed in iadb.isipp.com

Finding links in message body

Parsing text part

no links found

Please make sure this email IS spam:

From: "Phyllis Honeycutt" <tkynqmck[at]ainsight.com> (FWD: Big news shows promise)

Did not par ticularly enjoy your previous tra ding day? Don?t focus on that. Mov

e on to your most successful one with the tips I listed below! You?ll come out o

View full message

Report spam to:

Re: 124.106.177.207 (Administrator of network where email originates)

To: royir143[at]hotmail.com (Notes)

To: vrortiz[at]pldt.com.ph (Notes)

To: jcgonzales[at]pldt.com.ph (Notes)

To: riresurreccion[at]pldt.com.ph (Notes)

To: ssmiguel[at]pldt.com.ph (Notes)

To: nctabernilla[at]pldt.com.ph (Notes)

To: rrdelavega[at]pldt.com.ph (Notes)

Re: 124.106.177.207 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

Share this post


Link to post
Share on other sites

I think the parser often gets the source wrong! Often it or gives the spammers email address as a reporting address - how and why does the parser give the address royir143[at]hotmail.com as a valid spam reporting email adddress

<snip>

...*shrug* To what e-mail address would you suggest reporting spam from this IP address, given the following?
APNIC whois for 124.106.177.207[/url]]inetnum: 124.104.0.0 - 124.107.255.255

netname: IPG

descr: IPG

descr: Philippine Long Distance Telephone Company

country: PH

tech-c: RD18-AP

tech-c: JG149-AP

tech-c: NT80-AP

tech-c: VO2-AP

tech-c: SM140-AP

admin-c: RR5-AP

mnt-by: APNIC-HM

mnt-lower: PHIX-NOC-AP

status: ALLOCATED PORTABLE

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

remarks: This object can only be updated by APNIC hostmasters.

remarks: To update this object, please contact APNIC

remarks: hostmasters and include your organisation's account

remarks: name in the subject line.

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

changed: hm-changed[at]apnic.net 20060213

changed: hm-changed[at]apnic.net 20060220

source: APNIC

person: Roy I Resurreccion

address: Philippine Long Distance Telephone Company

address: 14/F Ramon Cojuangco Building

address: Makati Avenue, Makati City 1200, Philippines

country: PH

phone: +63-2-810-4070

fax-no: +63-2-894-5332

e-mail: riresurreccion[at]pldt.com.ph

e-mail: royir143[at]hotmail.com

nic-hdl: RR5-AP

mnt-by: MAINT-PH-PLDT-ENGG

changed: riresurreccion[at]pldt.com.ph 20011016

source: APNIC

person: Jaime Gonzales

nic-hdl: JG149-AP

e-mail: jcgonzales[at]pldt.com.ph

address: PLDT Co., 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City

phone: +63-2-864-5752

fax-no: +63-2-813-5794

country: PH

changed: jcgonzales[at]pldt.com.ph 20040719

mnt-by: PHIX-NOC-AP

source: APNIC

person: Rowell Dela Vega

nic-hdl: RD18-AP

e-mail: rrdelavega[at]pldt.com.ph

address: PLDT Co., 3/F MGO Bldg., Legaspi cor. Dela Rosa Sts., Makati City

phone: +632-864-5752

fax-no: +632-813-5794

country: PH

changed: jcgonzales[at]pldt.com.ph 20040719

mnt-by: PHIX-NOC-AP

source: APNIC

person: Noel Tabernilla

nic-hdl: NT80-AP

e-mail: nctabernilla[at]pldt.com.ph

address: PLDT Co., 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City

phone: +632-864-5752

fax-no: +63-2-813-5794

country: PH

changed: jcgonzales[at]pldt.com.ph 20040719

mnt-by: PHIX-NOC-AP

source: APNIC

person: Sonny Miguel

nic-hdl: SM140-AP

e-mail: ssmiguel[at]pldt.com.ph

address: PLDT Co.

address: 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City 1229

phone: +632-864-5752

fax-no: +63-2-813-5794

country: PH

changed: jcgonzales[at]pldt.com.ph 20040927

mnt-by: PHIX-NOC-AP

source: APNIC

person: Victor Ortiz

nic-hdl: VO2-AP

e-mail: vrortiz[at]pldt.com.ph

address: PLDT Co.

address: 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City 1229

phone: +632-864-5752

fax-no: +63-2-813-5794

country: PH

changed: jcgonzales[at]pldt.com.ph 20050321

mnt-by: PHIX-NOC-AP

source: APNIC

...Seems to me that the SpamCop parser's decision was consistent with the available information for this IP address ....

Share this post


Link to post
Share on other sites
...*shrug* To what e-mail address would you suggest reporting spam from this IP address, given the following?...Seems to me that the SpamCop parser's decision was consistent with the available information for this IP address ....

I know the parser is using the info provided for that IP, my point was, why does the parser not filter out donaldduck[at]hotmail.com and discard it as fake.

Whenever I question the reliability of the parser at locating referenced websites, people are very quick to pipe up that this is not what the parser is for, and all the efforts are put in to detecting the source of the spam. My point is that quite often it does not do that very efficiently. Who wants to send spammers confirmation that their email address is live, and actively reports spam and yet the parser allows this with surprising ease. I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake, the parser should be smart enough to discard anything that is obviously fake.

Share this post


Link to post
Share on other sites
I know the parser is using the info provided for that IP, my point was, why does the parser not filter out donaldduck[at]hotmail.com and discard it as fake.

Whenever I question the reliability of the parser at locating referenced websites, people are very quick to pipe up that this is not what the parser is for, and all the efforts are put in to detecting the source of the spam. My point is that quite often it does not do that very efficiently. Who wants to send spammers confirmation that their email address is live, and actively reports spam and yet the parser allows this with surprising ease. I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake, the parser should be smart enough to discard anything that is obviously fake.

...The parser is just a tool. It's our job, as users, to use the tool appropriately. Not all of us (necessarily) want the parser to make decisions such as you propose for us .... :) <g>

Share this post


Link to post
Share on other sites
I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake, the parser should be smart enough to discard anything that is obviously fake.

Not true, anyone can use one of these addresses to register their domain, sometimes for legitimate reasons (If my domain is expired, how will I get email to account[at]mydomain if that is my only email account?) And spamcop does go as far as the registration info to find reporting addresses.

Searching for specific strings (daffyduck) would be a terible procedure to start doing just for the overall speed of the parsing.

Share this post


Link to post
Share on other sites
I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake, the parser should be smart enough to discard anything that is obviously fake.
<snip>Searching for specific strings (daffyduck) would be a terible procedure to start doing just for the overall speed of the parsing.
...In all fairness to oldskoolflash (although I disagree with his suggestion), that would not be necessary -- just ignore anything that isn't of the form "abuse[at]<host>" for selected hosts, such as hotmail.com and yahoo.com.

Share this post


Link to post
Share on other sites

Can we have this stated clearly and unambiguously?

1. Assume that the name of my site is: wonderfulsite.com

2. spam arrives with obfuscated links and appears to be from superguy[at]wonderfulsite.com.

Most details in the spam e-mail refer to superguy[at]wonderfulsite.com

3. Despite this, I should report it.

No ISP will misinterpret this and start blocking wonderfulsite.com

Am I getting that right?

Send the spam report! Even if the 'from' field is my own domain!

The consequences will be OK!

Right?

Please reassure me. That's what I understand from the discussion so far, but it seems a tad unlikely as a conclusion.

Perhaps the following is relevant.

Issue - refresh button.

There's a lot of discussion above about the 'refresh' button or function, but I don't see any 'refresh' button on Spamcop, and using the browser refresh button doesn't achieve any result.

Could someone spell out in simple language what refresh button/function is meant in this context? As much as I try to 'refresh', the "from" field is still superguy[at]wonderfulsite.com

Sorry to be obtuse, but I'm just trying to follow the procedures. 50% of all spams that arrive now have cloaked or obfuscated urls

Share this post


Link to post
Share on other sites
Can we have this stated clearly and unambiguously?

Actually, not sure .. your query/scenario isn't actually unambiguous unfortunately.

1. Assume that the name of my site is: wonderfulsite.com

2. spam arrives with obfuscated links and appears to be from superguy[at]wonderfulsite.com.

Most details in the spam e-mail refer to superguy[at]wonderfulsite.com

3. Despite this, I should report it.

No ISP will misinterpret this and start blocking wonderfulsite.com

Am I getting that right?

Not sure. You have decided to seemingly include e-mail addresses, URIs, and Domain names. These items are not to be treated the same, especially in reference to the parsing and reporting codebase.

Send the spam report! Even if the 'from' field is my own domain!

The consequences will be OK!

In general, yes. The included e-mail address references will not be Reported anywhere, your From: address is generally munged, so the only Report recipients would be the source of the spam e-mail itself and the identified 'concerned party' involved with any (resolved) URLs.

Issue - refresh button.

There's a lot of discussion above about the 'refresh' button or function, but I don't see any 'refresh' button on Spamcop, and using the browser refresh button doesn't achieve any result.

Could someone spell out in simple language what refresh button/function is meant in this context? As much as I try to 'refresh', the "from" field is still superguy[at]wonderfulsite.com

By using either checkboxes provided or going into Preferences for your Reporting Account, one need to turn on the Full/Complete Technical Details ... which will change the way the Parsing results are displayed. Certin results/targets will include a "Refresh Cache" option/link. Depending on the specific data, resource, and target involved, this function may work, may be locked out, may not be allowed for a number of reasons.

Share this post


Link to post
Share on other sites

"so the only Report recipients would be the source of the spam e-mail itself and the identified 'concerned party' involved with any (resolved) URLs."

Huh? Why would the source of the spam e-mail receive a report?

Share this post


Link to post
Share on other sites
...Huh? Why would the source of the spam e-mail receive a report?
Because they (network administrators) will (hopefully) work out where the (typically) bot-netted machine that is spewing the spam is in their network and cut it off. They're the only ones that can do that if a consumer-level dynamic link address is being used for internet connection by the offending machine.

spam sending is prohibited by the 'rules' of the network owners, most spam comes from forged addresses and through zombie machines without the knowledge or agreement of the machine's owner. If they (machine owners) *are* doing it knowingly they will still be shut down - and may face prosecution as well. Some countries are thinking about making the owners of the machines responsible even if they don't know it has been taken over by the powers of evil (phrase used jokingly, most of us aren't quite that fanatical though there may be exceptions).

If you want some background to how the spammers work you could do a lot worse than have a look at Rick Conner's website - http://www.rickconner.net/spamweb/ - where Rick explains it. There's plenty more information on these pages too.

Share this post


Link to post
Share on other sites
"so the only Report recipients would be the source of the spam e-mail itself and the identified 'concerned party' involved with any (resolved) URLs."

Huh? Why would the source of the spam e-mail receive a report?

Trying to guess that perhaps you are confusing the From: address with the IP Address of the sending e-mail server ... yet, even you mentioned the "even if the From: field is my own Domain" which made it sound as if you were aware of the normal mode these days of forged From: line data. However, guessing is way too hard and too much work.

Share this post


Link to post
Share on other sites
Huh? Why would the source of the spam e-mail receive a report?

Trying to guess that perhaps you are confusing the From: address with the IP Address of the sending e-mail server ... yet, even you mentioned the "even if the From: field is my own Domain" which made it sound as if you were aware of the normal mode these days of forged From: line data. However, guessing is way too hard and too much work.

I've even had an incoming spam with a forged "Reply-to:" addresses using my own domain. I suspect that it could be a variant of the spam technique that utilizes backscatter to get the spam through, but I only recall noticing one such email.

Share this post


Link to post
Share on other sites

Some high-volume spammers use the same list for both their target "To:" address and the forged "From:" and/or "Reply-to:" address. The differences in the use of the forged address and the "To:" addresses from that same list are that there might be tens of thousands (or more) different "To:" addresses, all using the same "Reply-to:" address (for one or more complete spam runs) - and that they seem to rotate the "Reply-to:" addresses fairly regularly. But of course the actual IP addresses (there will be many) of the sender will be totally wrong for the purported sender email address (just the one for this type).

Yes, it seems uncanny to receive a spam apparently from yourself or with reply to yourself (if doing "long" reporting you never forget the first time, those doing "quick" reporting probably don't even notice) but usually it doesn't happen very often, your address has been picked out of the very big pool when it is your "turn" to be the forged sender.

The fun starts when they have a bad list (they don't care, they're not paying for the volume of mail), with valid domains but abandoned or otherwise invalid user parts of the address. Then you stand to receive many thousands of misdirected bounces from clueless mail admins returning all that "undelivered mail" to your innocent address. I don't think that (in the usual case) the backscatter is deliberate, much of it consists of simple NDRs without the original spam - depends on the policy of the "bouncer". But it still happens, apparently, although the RFC which gave the practice some justification has been superseded for years.

There is also some thought that another type of spammer, using a crafted low-volume approach, might specifically use your own address as sender to try to get through your mail filters (any whitelisting you might have of your own address).

One way or another, just about anyone should certainly anticipate seeing spam from (or reply to) themselves, at least occasionally. Sender validation checks, greylisting, message-ID verification (for bounces), who knows what else, might eventually eliminate much of it - perhaps those are starting to do that already.

Share this post


Link to post
Share on other sites

The reporting tool is missing the spamvertised website mentioned in the headers and the body of

the spam below (my email and others obfuscated for privacy reasons). The name of the domain

is workfor375.com.

I had to do the legwork myself and reported that domain, the domain it redirects to (trustedssurveys.com)

and the domain that webpage contains a link to (trustedsurveys.com) as well as all three IP addresses to

their respective hosting/allocating companies.

When I used spamcop on the spam below, all it reported to was Yahoo.

============================================================

Return-path: <thezeroplan128[at]yahoo.com>

Envelope-to: <OBFUSCATED FOR PRIVACY REASONS>

Delivery-date: Sun, 06 May 2012 03:34:52 -0500

Received: from nm16-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.131])

by server509.webhostingpad.com with smtp (Exim 4.69)

(envelope-from <thezeroplan128[at]yahoo.com>)

id 1SQwvY-0047HO-EC

for <OBFUSCATED FOR PRIVACY REASONS>; Sun, 06 May 2012 03:34:52 -0500

Received: from [98.139.212.151] by nm16.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000

Received: from [98.139.212.240] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000

Received: from [127.0.0.1] by omp1049.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000

X-Yahoo-Newman-Property: ymail-5

X-Yahoo-Newman-Id: 248258.25919.bm[at]omp1049.mail.bf1.yahoo.com

Received: (qmail 95838 invoked by uid 60001); 6 May 2012 08:34:47 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1336293287; bh=iLdWCppUyJWwtTtwpaXIbQtCd9bWuEy8P1VLHBZrY58=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type; b=pOe5jE9noygec3LcP2Sjhym3zN39aNMDzO3lttjyLv4ZXtBfhSuAEXTLCSYnAGyeF1rOEPwYPpX/zgufkDjB9I1OX/TmpB7QA9ABKWwbAeC6uT6VgkzBlBY8CAdyhPwc2zxLGSErr9xUIu90fQDJZ0uMpQe9NnWnu+EbxLUYgXQ=

DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;

s=s1024; d=yahoo.com;

h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type;

b=TQtMk7TgXQUstyeoWuy4IpDHpe+J0e5rmgOjP2I/N6nxZwzXquRJTisZbxZmaTYM4d+ilUxpuaavJRvK7IUQLbz2M//u0U2W1uiGGGDX0pvZrnuKM8jX6ih4wwIvhRTCpA0SSpX0QJX5tCW1F7L7IJjnGwADG7SaBQR/2J6nKDk=;

X-YMail-OSG: hkaRdlgVM1nA_VtrXS9FUDyXbNIPiQWwpyk9_qhcYl91fZx

VT1v0yTlsHH.VWiJ52buboOrlac6qHn6Fe27BqOODJn4zVHpUgTRl3gnCuzq

laRah9rIxXvfaymszNJgt1VbR28ikBURSt1vU10qnvMjS1.8omc7ubB6V0_a

3U5dFqmypzclf0XLA_ViVk7NNvgM.uExTBVVX2nsppmaZQMo8veRRGuYjAWi

OhdDO8HXOMtn4jEXDOu9p6VG1iCJ1Cddz9_71lJZuNCpgQ7ApubIRmb3yptO

6fXZaQbNGRlbIEe_OCTmGmfgfsoPj8o3sHe.r_Dit4ngxjegnh6_lyfIz85c

L40gRPiZj1FWPpROvutCUgPZeieeR5y1IyAtpZNuOXatv4pGxAy5PZuX3.uw

PkURDkjX3wq8hhUSdPO5dUA36jBdNYRQIzHYv8nhp6KfoEEuU.ymszV7vetj

htwBD4eh07UKioGBvrbiJ465XCcGfIFGjfOE.YD8xCnZKiaKSxX.fhlBM3_B

NqFcztSaPfspD4EafY4IO4v_mnMp9x9IJ6ALhyFn0JORf2HRyZjYBtdnMVXW

pWWpJ0cQ2ykCeVbe0_40MQUhpKRku3YU-

Received: from [178.88.10.39] by web161802.mail.bf1.yahoo.com via HTTP; Sun, 06 May 2012 01:34:47 PDT

X-Mailer: YahooMailWebService/0.8.117.340979

Message-ID: <1336293287.86220.YahooMailRC[at]web161802.mail.bf1.yahoo.com>

Date: Sun, 6 May 2012 01:34:47 -0700 (PDT)

From: Jake Bufton <thezeroplan128[at]yahoo.com>

Reply-To: Jake Bufton <thezeroplan128[at]yahoo.com>

Subject: hey, i have a question about your ad

To: mikaisme at hotmail dot com [NOTE: probably a test address or a mailing list address]

Cc: <OBFUSCATED FOR PRIVACY REASONS>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

X-spam-Status: No, score=1.7

X-spam-Score: 17

X-spam-Bar: +

X-Ham-Report: spam detection software, running on the system "server509.webhostingpad.com", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.

Content preview: Hey, I like working with people that post ads online, since

I already know that you basically know your way around a computer. I need

a few people here in town for some part-time help with some online work that

I have. The work is very easy, but it's too much for me to by myself, so

I thought that I'd email a few people and see if you'd be interested. [...]

Content analysis details: (1.7 points, 4.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[98.139.213.131 listed in list.dnswl.org]

1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist

[uRIs: workfor375.com]

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

(thezeroplan128[at]yahoo.com)

0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit

(jake bufton <thezeroplan128[at]yahoo.com>

)

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit (thezeroplan128[at]yahoo.com)

-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%

[score: 0.0000]

1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)

[uRIs: workfor375.com]

X-spam-Flag: NO

Hey,

I like working with people that post ads online,

since I already know that you basically know your

way around a computer. I need a few people here

in town for some part-time help with some online

work that I have. The work is very easy, but it's too

much for me to by myself, so I thought that I'd email

a few people and see if you'd be interested.

Just go to my website for more information

and to apply if you're interested:

WorkFor375.com

Just copy and paste the above link

into your web browser.

****************************************

If you don't want to receive any

more email from us, just go to

WorkFor375.com/remove

****************************************

Edited by ssybesma

Share this post


Link to post
Share on other sites

The reporting tool is missing the spamvertised website mentioned in the headers and the body of

the spam below (my email and others obfuscated for privacy reasons). The name of the domain

is workfor375.com. ...

Hi ssybesma.

Yes, unlike your browser, the parser won't take an implied link like WorkFor375.com and treat it as a link (which is one reason why the spammers/authors don't put in the full link) If it had the http:// bit in front of it, it would be processed. I dummied a submission (and cancelled it) - http://www.spamcop.net/sc?id=z5322915931za...00961daa75b681z

You can see it would work then, but can't pick up the redirection.

SpamCop is all about finding the e-mail source. You need to go to other tools to address the "spamvertized" links with full rigour. There are all sorts of problems and solutions associated with the links both innocent and spammy that can be found in a spam e-mail. See http://forum.spamcop.net/forums/index.php?showtopic=12362 for a recent discussion of another type of link resolution problem and some links to those other tools. See http://forum.spamcop.net/forums/index.php?showtopic=4085 for some background, if you haven't looked there already.

Steve

Share this post


Link to post
Share on other sites

Hi ssybesma.

Yes, unlike your browser, the parser won't take an implied link like WorkFor375.com and treat it as a link (which is one reason why the spammers/authors don't put in the full link) If it had the http:// bit in front of it, it would be processed. I dummied a submission (and cancelled it) - http://www.spamcop.net/sc?id=z5322915931za...00961daa75b681z

You can see it would work then, but can't pick up the redirection.

SpamCop is all about finding the e-mail source. You need to go to other tools to address the "spamvertized" links with full rigour. There are all sorts of problems and solutions associated with the links both innocent and spammy that can be found in a spam e-mail. See http://forum.spamcop.net/forums/index.php?showtopic=12362 for a recent discussion of another type of link resolution problem and some links to those other tools. See http://forum.spamcop.net/forums/index.php?showtopic=4085 for some background, if you haven't looked there already.

Steve

Very EXCELLENT reply Steve (my name is Steve as well).

How would I go about 'dummying' the submission to add the spamvertised website? I will check out the tools you mentioned, so that may take out the necessity of doing it that way and make my question moot.

The other thing I was thinking about, is that there is probably a better strategy of reporting spamvertised websites in the case of a redirected domain and a link to a domain.

I should probably go after the domain at the end of the line and work my way up, because if the domains farther out get reported last, they may not see the connection to the domain that I had to get to before that one if it was shut down already.

I didn't think about that initially and reported workfor375.com first (yesterday), then the redirected domain trustedssurveys.com right afterward, and then the link from the redirected domain (trustedsurveys.com) was reported today.

Shoulda did it the other way. Oops!

Edited by ssybesma

Share this post


Link to post
Share on other sites

Hi, Steve,

<snip>

(my name is Steve as well).

...That's three of us! :)
How would I go about 'dummying' the submission to add the spamvertised website?

<snip>

...That's not advised -- see SpamCop FAQ (to which links may be found near the top left of each SpamCop Forum page) articles labeled "-------> Material changes to spam - Updated!" and "-----> What if I break the rule(s)?" Steve (Farelf) did it only to illustrate his point, then canceled it so he would not violate the rules.

Share this post


Link to post
Share on other sites

Hi again Steve. As Steve T says, quite simply you cannot dummy a submission to make the parser find something it couldn't do by itself and then send the report as if the parser had done it all. That's the "material changes" rule - http://www.spamcop.net/fom-serve/cache/283.html You can always use the parser to find reporting addresses with manually altered data but you can't alter the spam that is reported.

Seems frustrating I know but SC relies on INTEGRITY which is closely guarded to maintain credibility and cooperation within the internet community. That's why those other tools are needed (instead of SC reports) and the SCbl handles only e-mail originating IP addresses, not web sites. Reports to the associated network admins are a courtesy only, in the hope they will take action to shut down the spammers abusing their services. In the case of websites that is the only SC action, no SCbl entry (though the SURBL, mentioned in one of those other topics indicated, does independently use SC spamvertized site data).

The parser is completely unable to follow redirections but I suppose you might be entitled to add an additional report recipient or two (if you are a paying user) reflecting anything you have found out yourself. (You need to be more than a bit cautious about following redirections by the way.) But anyway, you might then have some difficulty explaining in notes to those additional recipients what is going on since the report won't be indicating their networks. Very few of them are highly motivated towards anti-spamming activity, sadly. And the report has no consequences for them, as said - except if they are actually hard-core spammers, then the consequences could be a bit negative.

Share this post


Link to post
Share on other sites

Hi again Steve. As Steve T says, quite simply you cannot dummy a submission to make the parser find something it couldn't do by itself and then send the report as if the parser had done it all. That's the "material changes" rule - http://www.spamcop.net/fom-serve/cache/283.html You can always use the parser to find reporting addresses with manually altered data but you can't alter the spam that is reported.

Seems frustrating I know but SC relies on INTEGRITY which is closely guarded to maintain credibility and cooperation within the internet community. That's why those other tools are needed (instead of SC reports) and the SCbl handles only e-mail originating IP addresses, not web sites. Reports to the associated network admins are a courtesy only, in the hope they will take action to shut down the spammers abusing their services. In the case of websites that is the only SC action, no SCbl entry (though the SURBL, mentioned in one of those other topics indicated, does independently use SC spamvertized site data).

The parser is completely unable to follow redirections but I suppose you might be entitled to add an additional report recipient or two (if you are a paying user) reflecting anything you have found out yourself. (You need to be more than a bit cautious about following redirections by the way.) But anyway, you might then have some difficulty explaining in notes to those additional recipients what is going on since the report won't be indicating their networks. Very few of them are highly motivated towards anti-spamming activity, sadly. And the report has no consequences for them, as said - except if they are actually hard-core spammers, then the consequences could be a bit negative.

OK, very good. I'll abide by the rules. I registered with knujon.com, am trying to register with complainterator.com (although their site seems to be timing out when I attempt) and I sent an email to see about having the latter two domains added to Bill Stearn's blacklist. WorkFor375.com I noticed is already on the WS list, but that doesn't stop the problem like squashing the domains will. Think I hit all the bases possible.

Share this post


Link to post
Share on other sites

WOW!!! Quick SUCCESS on squashing one of the three domains. Never realized it was so easy.

This is totally FUN!!! :lol:

I am awaiting word on the initial spamvertised domain WorkFor375.com, as well as the end domain where the business is actually done (TrustedSurveys.com). The middle domain that the first one redirects to (TrustedSSurveys.com) is the one I just now got shut down.

Like I said earlier, I should have reported the end domain first. Oh, well.)

What I did on this, was go around the WhoisGuard'ed domain names and go to ARIN to find out who had the IP addresses and was able to find out who hosted the sites that way. Works REALLY great!

At the end, I sent a gloating email to the email address mentioned on the end website that actually does the spamvertised business. I couldn't help myself. Why not? :rolleyes:

Steve

====================

Hello,

Thank you for notifying us.

I have suspended the website trustedssurveys.com.

Sincerely,

Ted Smith

Security Specialist

Endurance International Group

-----Original Message-----

From: Shimon Bakshi

Sent: Tue 08-May-12 14:40

To: cogentabuse

Subject: FW: spammer using IP address registered to you

From: Steve [mailto:steve[at]vwebr.net]

Sent: Tuesday, May 08, 2012 10:43 AM

To: #CustomerRelations

Subject: spammer using IP address registered to you

Hello,

Please forward this to your abuse dept or the dept that handles webhosting or IP services.

The following is information regarding someone who is spamming a work-at-home scam using the domain workfor375.com, which redirects to trustedssurveys.com

The domain trustedssurveys.com (note there is a doubled 's') has been obfuscated because the person is using Namecheap.com's Whoisguard service.

HOWEVER, the IP address that trustedssurveys.com points to is 65.254.250.110.

According to ARIN, that IP address is in your CIDR block.

Can you please look into de-allocating/de-registering that IP address?

I will forward the spam to you with all headers right after this email, but the domain name referred to is clearly in the spam and it redirects to the domain having the IP address in your CIDR block.

Thank you,

Steve Sybesma

Lafayette, CO

720-934-2484

[Querying whois.arin.net]

[whois.arin.net]

#

# Query terms are ambiguous. The query is assumed to be:

# "n 65.254.250.110"

#

# Use "?" to get help.

#

#

# The following results may also be obtained via:

# http://whois.arin.net/rest/nets;q=65.254.2...amp;ext=netref2

#

NetRange: 65.254.224.0 - 65.254.255.255

CIDR: 65.254.224.0/19

OriginAS:

NetName: BIZLAND-FC03

NetHandle: NET-65-254-224-0-1

Parent: NET-65-0-0-0-0

NetType: Direct Allocation

RegDate: 2004-01-06

Updated: 2012-03-02

Ref: http://whois.arin.net/rest/net/NET-65-254-224-0-1

OrgName: The Endurance International Group, Inc.

OrgId: EIG-12

Address: 70 Blanchard Road

City: Burlington

StateProv: MA

PostalCode: 01803

Country: US

RegDate: 2005-02-07

Updated: 2011-09-24

Ref: http://whois.arin.net/rest/org/EIG-12

OrgTechHandle: BBR189-ARIN

OrgTechName: Brock, Brian

OrgTechPhone: +1-781-852-3254

OrgTechEmail: bnbrock[at]maileig.com

OrgTechRef: http://whois.arin.net/rest/poc/BBR189-ARIN

OrgAbuseHandle: BBR189-ARIN

OrgAbuseName: Brock, Brian

OrgAbusePhone: +1-781-852-3254

OrgAbuseEmail: bnbrock[at]maileig.com

OrgAbuseRef: http://whois.arin.net/rest/poc/BBR189-ARIN

OrgNOCHandle: ENO74-ARIN

OrgNOCName: EIG Network Operations

OrgNOCPhone: +1-339-234-9762

OrgNOCEmail: netmon[at]maileig.com

OrgNOCRef: http://whois.arin.net/rest/poc/ENO74-ARIN

#

# ARIN WHOIS data and services are subject to the Terms of Use

# available at: https://www.arin.net/whois_tou.html

#

Edited by ssybesma

Share this post


Link to post
Share on other sites

...Great work, Steve! I suspect you may have happened upon an all-too-rare abuse admin team with a sufficiently low volume of complaints that they actually have a knowledgeable human reading their abuse complaint e-mails. If you tried that with Yahoo, for example, you would have been much more frustrated. :) <g>

Share this post


Link to post
Share on other sites

Maybe the parsing was affected by the recovery period following the system upgrade? Does re-submitting the spam now (and cancelling reports) still show the same? You can save and show the tracking URL for a cancelled report.

[edit] Ah, no, I see that is a mangled spam

Content-Type: multipart/mixed; boundary="----msg_border_9717Cbc7e7"
... but following declaration, no boundaries are set within the HTML body. But ... fixing that doesn't seem to fix the parsing ... yes something seems to be wrong (or I'm not very good at fixing - not that "fixed" spam can be used for a real report anyway).

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0